04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe
Size

96KB
MD5

bf9bfca84a7bb3311b3c9d893a50b522
SHA1

84d36f7a74e3742dc9b7741e2483816e90ccfcc6
SHA256

04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6
SHA512

2f91186bb708616eb312991dc2a06ba45eaadba61794dd7c3320a1a356b1d615665b4e75c6278854d0d7bb96836dfdd94aa332c9e07099542011aa5f465f95f9
SSDEEP

1536:LfgLdQAQfcfymNBawjmDNTjSvhr/vy7H5qqqqqgapEd8s3:LftffjmNBaxp0rSkpEd7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3464	Logo1_.exe
932	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe
File created	C:\Windows\Logo1_.exe	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe
3464	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 5068	2388	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe	85
PID 2388 wrote to memory of 5068	2388	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe	85
PID 2388 wrote to memory of 5068	2388	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe	85
PID 2388 wrote to memory of 3464	2388	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe	86
PID 2388 wrote to memory of 3464	2388	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe	86
PID 2388 wrote to memory of 3464	2388	04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe	86
PID 3464 wrote to memory of 2180	3464	Logo1_.exe	88
PID 3464 wrote to memory of 2180	3464	Logo1_.exe	88
PID 3464 wrote to memory of 2180	3464	Logo1_.exe	88
PID 2180 wrote to memory of 4024	2180	net.exe	91
PID 2180 wrote to memory of 4024	2180	net.exe	91
PID 2180 wrote to memory of 4024	2180	net.exe	91
PID 5068 wrote to memory of 932	5068	cmd.exe	94
PID 5068 wrote to memory of 932	5068	cmd.exe	94
PID 5068 wrote to memory of 932	5068	cmd.exe	94
PID 3464 wrote to memory of 3512	3464	Logo1_.exe	55
PID 3464 wrote to memory of 3512	3464	Logo1_.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe
  "C:\Users\Admin\AppData\Local\Temp\04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB4F.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe
      "C:\Users\Admin\AppData\Local\Temp\04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe"
      4⤵
      Executes dropped EXE
      PID:932
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
97d5447954f2eb0df588787b6ecb252c

SHA1
b6a7cb5457e064d4bccfc837e20d82d89e5a2cf4

SHA256
edad72416ffa909db11d7d6cfe30b2e56be62772319de63a1bfbf8986dca8753

SHA512
08e69f4ca2d5f8bced53e0f79784274fa079d3357e217eef71bdbe50adf4c978ce5a279032f9579b085620d6a4cba0516e495d81c3d3140b389a6240a359e2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCB4F.bat

Filesize
722B

MD5
1bdd9b5bf4305f566a86c03d1f43bbed

SHA1
2700929ca5ce33ebc30adcd49b99743764a4f3ea

SHA256
9251d1152c01375c2872fa8f47fb29df8f67854421c4863bfd9daf94d9313997

SHA512
42963c80fde635417743f0bea31ea999f9e609645182b68a4b608fc0663810879a219fa7eebeeb167b644a9bafa320c03115dae138c42ed5574bf676c08fcd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\04e037173602a9538735bae966badfe5384d6e06860b737ae055e0e5b69d10c6.exe.exe

Filesize
69KB

MD5
b54edf5cd1cd3698d1f9b43d30efa678

SHA1
e5551b886cad5c445c7e2e38014725cf98bcf7ac

SHA256
74d6afbca51944638bdfee995f2244772fe14781d6f99d25649482415b8194a5

SHA512
9f5bb9ddca611c52686240a24f0ffe80d5302c834a46ec2870e6d98d58bb1da047876070c3e64fe4dee9fa500f3f7707dcac641cf7c463812be49cfebb655460

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
1eb297a4f27e72b32ffbc165a5a66c1b

SHA1
c432d9ad68b7cb178aefc5e49db2ea9006d4bc6b

SHA256
8fcb9444ee983ee6da9b67e4ee0e7ee98edab51eb18b02595ddb63322102a974

SHA512
ce1b82829b31985c41d16d6b5125cc6c4367f42eaaaa74cd24e20f7ea076c19c141ab03a6cd73b2c64888e58b1e8346e32deab1c8b44e8d5b00fd401d45b2a7c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-776854024-226333264-2052258302-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/2388-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-1231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download